Re: Chornicle SIEM SSO with Azure Entra ID

Ricardo_Flores · 08-12-2024 07:22 PM

Hello Team, hope you doing good, we are trying to implement a SSO in one tenant ofChronicle SIEM (Google Security Operations) with Azure Entra ID, the login works well but when I see the user account it looks like a ID

Does any one know why this happen?
If is something about the claims in the Azure Entra ID ?
How we can fix it?
Regards!

jpetitg

Hi,

Looks like that the wrong field is pushed into the SAML response to access Google SecOps.

You might want to look into your Entra ID application for SAML to confirm the user attributes

alijaa56

issue is related to the attributes being sent in the SAML response from Azure Entra ID to Chronicle SIEM. If the user is appearing as an ID instead of a proper display name, it's likely that the wrong attribute is mapped for the NameID or other identifying claims. You should check the User Attributes & Claims settings in your Entra ID enterprise application for Chronicle SIEM. Ensure that the correct claim (such as user.displayname or user.principalname) is mapped to the expected attribute in Chronicle. You may also want to verify the SAML token configuration to confirm that the correct claims are included. If needed, you can capture the SAML response using browser developer tools or a SAML tracer extension to see which attributes are being sent. Adjusting the claim mappings in Entra ID should help resolve this issue. Let me know if you need further guidance!

Webinar May 29th: Log Ingestion: Bindplane + Google SecOps

Chornicle SIEM SSO with Azure Entra ID